convex-http-actions

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill directly ingests untrusted third-party/user-generated content (webhook bodies and form/file uploads) via HTTP endpoints such as /webhooks/stripe, /webhooks/github, /webhooks/clerk, /api/form and /api/upload where the handlers call request.json()/request.text()/request.formData() and process that content as part of their workflow.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill includes explicit Stripe/payment gateway integration: it constructs a Stripe client with STRIPE_SECRET_KEY, verifies Stripe webhook signatures, and handles payment-related events (e.g., "checkout.session.completed", subscription updates) that call internal payment/subscription mutations. This is a specific payment gateway integration (not a generic HTTP tool), so it grants direct financial execution capabilities.